nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Authenticating user with tacacs and Active directory

amb1s1

We have like 200 branches that we are going to have Access point just for special users. The way we have those user authenticate when trying to connect to the AP is via Tacacs, but it will be nice if those user can bee authenticate with Activate directory using Tacacs as the intermedia.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

broc

So... what's your question?

Do you want to know if it is possible? yes

How to do it? as you are already using tacacs, what product are you currently using?

amb1s1

When you saying product, what you mean with that? I just started as Jr engineer 2 weeks ago and the security is one of my weakest knowledge.

broc

You said that when your users connect to the AP, they get authenticated via tacacs. In order to do that, you need a Tacacs server somewhere in your network. Based on which server/product you are using for the authentication, I should be able to direct you on how to get it configured so that it gets it's information from AD.

amb1s1

I'm not sure because I'm not at work, but we cisco acs, but don't know what version. I would VPN in later on an find out what version and what the appliance model.

jason_lunde

You can indeed do this. Basically in ACS there is a section called "external user databases" (in my version at least). If you go in there you can map you domain to a user group (we do this dynamically for some users). You want to make sure to do your group permissions correct though, so that your AP users dont have permissions on your network devices. There is some planning that needs to go into such a deployment, and make sure to test thoroughly.

amb1s1

jason_lunde wrote: »

You can indeed do this. Basically in ACS there is a section called "external user databases" (in my version at least). If you go in there you can map you domain to a user group (we do this dynamically for some users). You want to make sure to do your group permissions correct though, so that your AP users dont have permissions on your network devices. There is some planning that needs to go into such a deployment, and make sure to test thoroughly.

I'm using ACS 4.1 and yes I have that option for external user database. I would look around to see if I find any documentation how to set it up. Before we implement any changes we always test in 3 QA labs that we have to make sure that everything is working fine.

broc

Have a look at this document:

http://www.google.co.uk/url?sa=t&source=web&cd=1&sqi=2&ved=0CBYQFjAA&url=http%3A%2F%2Fwww.cisco.com%2Fapplication%2Fpdf%2Fen%2Fus%2Fguest%2Fproducts%2Fps407%2Fc2001%2Fccmigration_09186a00801085d0.pdf&rct=j&q=cisco%20ACS%20configuration%20guide&ei=Jj7wTL3nD9K7hAelkqyDDA&usg=AFQjCNH00gJchKzhiKOycqKVw6OKCDtfAQ&sig2=2yL54p-SIRnMfyVIMJfDew

Starting at page 419, let us know if you have any question, you should be fine, the configuration is quite straight forward.

jason_lunde

any luck man?